Class: Authorio::Session

Inherits:

ApplicationRecord

• Object
• ActiveRecord::Base
• ApplicationRecord
• Authorio::Session

Defined in:

app/models/authorio/session.rb

Class Method Summary

• .find_by_cookie(cookie) ⇒ Object

  2.

Instance Method Summary

• #as_cookie ⇒ Object
• #expired? ⇒ Boolean
• #matches_cookie?(cookie) ⇒ Boolean

Class Method Details

.find_by_cookie(cookie) ⇒ Object

1. To guard against timing attacks, we lookup tokens based on a separate selector attribute and compare them using a secure time-constant comparison method

Raises:

• (Authorio::Exceptions::SessionReplayAttack.new)

# File 'app/models/authorio/session.rb', line 21

def self.find_by_cookie(cookie)
  selector, _token = cookie.split(':')
  session = find_by selector: selector
  raise Authorio::Exceptions::SessionReplayAttack.new, session unless session.matches_cookie?(cookie)

  session
end

Instance Method Details

#as_cookie ⇒ Object

# File 'app/models/authorio/session.rb', line 39

def as_cookie
  "#{selector}:#{token}"
end

#expired? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/authorio/session.rb', line 35

def expired?
  expires_at < Time.now
end

#matches_cookie?(cookie) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/authorio/session.rb', line 29

def matches_cookie?(cookie)
  _selector, token = cookie.split(':')
  cookie_hashed_token = Digest::SHA256.hexdigest token
  !expired? && ActiveSupport::SecurityUtils.secure_compare(cookie_hashed_token, hashed_token)
end